Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.
Debian Security Advisory 1125-1 - Several remote vulnerabilities have been discovered in the Drupal web site platform, which may lead to the execution of arbitrary web scripts.